Despite the explosion of data and the large number of data breaches, enterprises are not
doing enough to encrypt their backup data, according to a study conducted jointly by
security vendor Thales Group and Trust Catalyst.
The results of the study, released yesterday, show that backup tapes are neglected in
administrators’ security efforts. Of the 330 respondents from large enterprises
worldwide, 35 percent said they do not know whether or not they will encrypt their backup
“Traditionally, storage has been a domain in and of itself, and IT security has been
focusing on front-facing business applications, so they don’t pay that much attention to
security,” Kevin Bocek, director of product marketing at Thales, told InternetNews.com.
Not having a backup tape encryption plan could place an organization’s data at risk
and put the organization in breach of compliance. Data breaches can cause heavy financial losses,
as retail store chain owner TJX discovered.
The storage department is more concerned with the cost and speed of data recovery than
with encryption, according to Bocek. Also, enterprises felt they lacked access to
technology adequate for enterprise-grade tape encryption.
“Previously, tape encryption technology used to be bolted on or would be an
application used for general backup, and some didn’t trust those to encrypt their tapes
for backup,” Bocek said.
The situation is changing, as more and more applications come with built-in
encryption. However, a new problem then emerges — managing the encryption keys. “If
you’re going to use encryption, you must have good key encryption, because if you lose
your keys, you lose your data,” Dave Hill, principal at analyst firm Mesabi Group, told InternetNews.com.
Keys should not all be given to one person, he added. “If they do something wrong,
either in error or maliciously, that could be a problem.”
For instance, giving one person control over all means of access to a system can lead to severe
consequences, as San Francisco found out when rogue system administrator
Terry Childs gained control over all the passwords to its fiber optic wide-area
Hill recommends enterprises have keys stored with a trusted third party “so somebody
can get them back in case of an emergency.”
Where the Keys Are
The Thales study found that most people do not know where to store their encryption
keys. More than 40 percent of the survey’s respondents answered that they didn’t know
where to store keys for seven out of 13 encryption apps. Most of the remainder stored
their encryption keys in software or on a disk, while very few stored the keys in a
dedicated appliance, which happens to be the market Thales is in.
“Key management issues will continue to be an issue for backup media,” Bocek said. He
added that the “very largest enterprises” are adopting encryption key management
appliances like the ones Thales sells. In the future, such appliances will be made for
medium-sized companies, Bocek said.
However, Mesabi Group’s Hill does not like the idea of dedicated appliances.
“If you keep the appliance inside your building, what happens if you have a disaster
and have to restore to a remote site?” he asked. Most companies “manage their keys
on-site, with a copy sent off to a trusted third party, and this seems to be
Article courtesy of InternetNews.com